
New Ransomware I just got on a server via RDS (HACK)


This topic is locked
16 replies to this topic

#1 northja

  • Members
  • 11 posts

Posted 04 January 2018 - 05:40 PM

.1BTC is the encrypted file name

Restore Files.TxT

Email address of dyamol@bitmessage.ch

I go to all sites and they can't say what kind of ransomware it is, so I can't try to decrypt it. Anybody have any info re: this? thx




 


#2 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,426 posts
  • Gender:Male
  • Location:USA

Posted 04 January 2018 - 05:41 PM

I'm suspecting it may be a variant of LockCrypt based on submissions to ID Ransomware, but we will need a sample of the malware itself in order to confirm.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 northja
  • Topic Starter

  • Members
  • 11 posts

Posted 04 January 2018 - 05:55 PM

Do you have a tool that can decrypt it? thx a bunch... I think you're right, it is a variant of LockCrypt. thx



#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,942 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 04 January 2018 - 06:13 PM

There is no decryption tool available.

Demonslay335 said he needs a sample of the malware itself in order to confirm.

Samples of any suspicious executables (installers, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here

#5 northja
  • Topic Starter

  • Members
  • 11 posts

Posted 04 January 2018 - 06:42 PM

Will do, I will do that when I'm back in the office later tonight. Thx guys!

#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,942 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 04 January 2018 - 06:51 PM

Not a problem.

#7 northja
  • Topic Starter

  • Members
  • 11 posts

Posted 04 January 2018 - 07:59 PM

Uploaded it. thx a bunch guys!!



#8 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,942 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 04 January 2018 - 08:04 PM

Ok. Please be patient until Demonslay335 has a chance to review the submission.

#9 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,426 posts
  • Gender:Male
  • Location:USA

Posted 04 January 2018 - 08:09 PM

You uploaded an encrypted file. We need the malware executable, the virus that actually encrypted the files.




#10 northja
  • Topic Starter

  • Members
  • 11 posts

Posted 04 January 2018 - 08:17 PM

Don't have that, it was through a Remote Desktop connection that they hacked. They did it and covered their tracks.

#11 northja
  • Topic Starter

  • Members
  • 11 posts

Posted 05 January 2018 - 12:14 AM

I just went back to the server and it looks as if my AV picked up what they put down:

File.exe

RAP.exe

I uploaded them to your area. thx



#12 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,426 posts
  • Gender:Male
  • Location:USA

Posted 05 January 2018 - 03:33 AM

The first executable is a Monero coinminer (for user "ventfasad-sv@mail.ru" it seems). Still pending analysis on the second sample.




#13 Amigo-A

  • Members
  • 416 posts
  • Gender:Male
  • Location:3st station from Sun

Posted 05 January 2018 - 04:23 AM

northja

The address dyamol@bitmessage.ch was in the ransom note, or is it your email?

Edited by Amigo-A, 05 January 2018 - 04:33 AM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Affected by ransomware? Let me know here.


#14 northja
  • Topic Starter

  • Members
  • 11 posts

Posted 05 January 2018 - 06:34 AM

In the ransom txt file.

#15 Amigo-A

  • Members
  • 416 posts
  • Gender:Male
  • Location:3st station from Sun

Posted 05 January 2018 - 03:28 PM

northja

Thank you. Added this variant.

Previously, it had purely_purely2@aol.com and purely_purely2@bitmessage.ch

LockCrypt Ransomware

